Social engineering and its consequences.

Social engineering and its consequences.

While the media highlight increasingly sophisticated cyber-attacks, decision-makers could easily forget that humans are one of the main weak links of IT security. According to the latest IBM – Ponemon Institute report published in 2016, 25% of data leaks are due to human error or negligence.

| Social engineering is about exploiting human weakness to obtain goods, services or key information.

Social engineering existed before the digital era. For example, during the 2000s, organized scammers used personal information available in Alumni directories to impersonate alumni of a prestigious university and extract money from their fellow classmates.

There is no need today to use malware or ransomware to access personal information: it is readily available on social media such as Facebook and LinkedIn. A white paper published by Alban Jarry in 2016 shows that 43% of people accept strangers on their LinkedIn network[1].

The president of a French bank recently showed us the Facebook profile of an individual allegedly working at the bank and trying to get in touch with clients: fake profile, fake identity obviously … In the same manner, how do you know who is behind the LinkedIn profile inviting you?

These “simple” techniques allow fraudsters to deceitfully obtain key information about a payer, a supplier… and subsequently impersonate them to initiate fraudulent wire transfers.

President’s scam (Source: Law enforcement, translated by Bleckwen)

According to Grand Thornton, at least 3 out of 4 companies were targeted by fraud attempts over the past two years. If 80% of all attempts are failures, successful attacks can cause damages upward of $10 million.

| $2.3 billion were stolen from businesses between 2013 and 2016, according to the FBI, and the number of victims identified in 2015 increased by 270%[2].

The phenomenon is significant, and companies have begun to build walls to contain it, implementing behavioral measures (e.g.: paying attention to corporate data published on personal social media, refraining from clicking on suspicious e-mails originating from unknown parties…), business processes to improve internal controls, etc. But these measures are not sufficient, even if correctly applied, because they still rely too much on the humans. This is the reason why new solutions are emerging, based on machine learning and big data processing. They automate more and more effectively the process of detecting attacks and fraud, in addition to human activities and processes.